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Abstract—This work advocates for cognitive biometric-enabled 
systems that integrate identity management, risk assessment and 
trust assessment. The cognitive identity management process 
is viewed as a multi-state dynamical system, and probabilistic 
reasoning is used for modeling of this process. This paper 
describes an approach to design a platform for risk and trust 
modeling and evaluation in the cognitive identity management 
built upon processing heterogeneous data including biometrics, 
other sensory data and digital ID. The core of an approach is 
the perception-action cycle of each system state. Inference engine 
is a causal network that uses various uncertainty metrics and 
reasoning mechanisms including Dempster-Shafer and Dezert- 
Smarandache beliefs. 


I. INTRODUCTION AND MOTIVATION 


The future generation security checkpoint for mass-transit 
hubs and large public events is anticipated to be a system 
that combines: biometric-enabled authentication [12], [19], 
[31], [45] and watchlist check [32], screening strategies [37], 
deception feature detection [1], [41], [43], [55], as well as 
concealed illicit item detection [38], [53]. Such a system will 
be an integral part of the security infrastructure, including 
logistics and surveillance network with abilities of tracking 
individuals-of-interest and analyzing the group behavior. This 
vision is introduced, in particular, in the International Air 
Transport Association technology roadmap “Checkpoint of the 
future” [27]. 

The currently being developed concept of a future check- 
point is called a cognitive checkpoint. This concept is more 
complicated compared to the classic security paradigms such 
as layered security model [9], [29], [49], [54], or a dynamic 
individual risk update [37]. The cognitive checkpoint is a 
semi-automated system, which deploys the AI to process the 
data sources and to assess trust and risk; this assessment 1s 
submitted to a human operator for the final decision. Fig. 1 
depicts the concept of cognitive identity management: 

1) An individual is a subject of authentication and risk 
assessment based on acquired physical and virtual (online) 
sources of information. Four physical sources include data 
captured in the following bands: 

— Source A: Acoustic domain as a human-machine commu- 


nication channel with frequency range of 70 to 200 Hz 
for men, 150 to 400 Hz for women, and 200 to 600 Hz 
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Fig. 1. Four information sources for machine reasoning at the security 


checkpoint: biometrics in infrared (3 — 12j4m), audio (70-600 Hz), and visual 
(400 — 700um) spectral bands, and UWB radar illumination (3-10 GHz). 


for children; the pitch, loudness and timbre of a human 
voice are the main parameters used by an e-interviewer 
for emotions and deception detection [1], [41], [55] [62]; 

— Source B: Infrared domain; the human body radiates non- 
visible infrared light (3 — 12um waves) in proportion to 
its temperature; this band is used for assessment of both 
cognitive and physical state [43]; 

— Source ČC: Visual domain, 400 — 700m, for authentica- 
tion and emotional state assessment using face and face 
expression recognition [31], [32]; 

— Source D: Radar illumination, 3—10 GHz; certain con- 
cealed items can be detected using the Ultra Wide Band 
(UWB) radar [24], [38]. 


2) There is a deep causal relationship between the 


above sources of information. For example, gait and be- 
havior/emotion pattern are correlated with possible possession 
of illegal concealed items [1], [41], [55]. 

3) Machine reasoning is the key operation in these techno- 
logies [62]. For example, an insobriety pattern can be reasoned 
upon analysis of thermal (infrared) measurements of face 
temperature, as well as body gesture and speech abnormalities. 
Such reasoning is performed under uncertainty, and, thus it is 
a probabilistic reasoning. 

As the AI components for processing of heterogeneous data 
become more independent and sophisticated, the implications 
of their actions become more serious. Such AI tools perfor- 
ming actions on behalf of an operator could make errors that 
are difficult to “undo”, for example, mis-identification of a 
person-of-interest. Moreover, for AI to operate effectively on 
the human’s behalf, they might need confidential or sensitive 
information of the users such as financial details and personal 
contact information [11]. Trust becomes very important if 
an AI actions can cause their user physical, financial, or 
psychological harm. Thus, the users and the operators must 
be confident that the AI tools will do what they ask, and only 
what they ask. That is, a trusting relationship must develop 
between the humans and the AI tools. In the context of AI 
in identity management, trust means no longer controlling the 
AI tools directly, and letting the AI act on the human’s behalf 
and accepting the risks this might entail. 

Human acceptance of AI technology is determined by the 
combination of both trust and risk factors (e.g. Can we trust 
this machine decision?) and risk factors (e.g. How risky is 
this machine decision?) [2], [23], [58], [63]. The contributing 
factors include belief, confidence, experience, certainty, relia- 
bility, availability, competence, credibility, completeness, and 
cooperation [10]. Feelings of trust and risk can be established 
quite independently, and together they determine the intelligent 
tools success. Note that trust contributes to the AI tools 
acceptance, while risk contributes to its rejection. Trust and 
risk influence each other reciprocally [30]. It should be noted 
that Dempster-Shafer (DS) theory intrinsically contains the 
probabilistic ingredients for assessment of the system trust 
and risk. These possibilities are used, for example, for trust 
modeling in securing online reputation systems [34] and for 
risk validation in certificate security [26]. 

Computing the risk and trust under identity uncertainty has 
only been so far, partially studies. For example, effects of 
impersonation were studied in [61]. The risk countermeasures 
were studied in [6]. However, true Al-based decision making 
possibilities at the security checkpoint were not exploited. 
Few pilot projects on biometric-enabled AI technologies for 
identity management have been reported [22], [28], [33]. 
Technology-independent model of a checkpoint for border 
crossing security is given in Fig. 2 [62]. 

This work advances a technology further. We propose an 
approach based on the decomposition of the risk and trust 
assessment into a multi-state process based on the paradigms 
of 1) a multi-perception-action cycle (local and global), and 
2) a cognitive computation concept (inspired by the cognitive 
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Fig. 2. Technology-independent model of a multi-state security checkpoint. 
The subject (traveler)’s risk is assessed using various mechanisms such 
as forward propagation (a process from effect to causes) and backward 
propagation (a process from causes to effect) of risk and trust through the 
states. Risk and trust are adjusted using their causal relationships. This is the 
core principle of traveler’s risk mitigation. 


dynamic systems [25]). The associated risks and trust are 
propagated from the first state (input data acquired using 
multiple cross-spectral sensors as well as prior data and 
any contextual data) to the last state (output data in the 
form of posterior probabilities and recommendations). At each 
intermediate state, the risks an trust are analyzed, updated, 
mitigated (via eliciting more information), and predicted. In 
legacy systems, risk assessment is performed by humans, such 
that data from ID readers and sensors is processed separately, 
and is supplied to a human operator to make a decision. In an 
Al-enabled decision support, this is enabled via a probabilistic 
reasoning mechanism. Modeling using probabilistic reasoning 
is a rational solution proposed in this paper. 

This paper contributes to solving the three important chal- 
lenges in identity management: 


How to model security screening in conditions when the 
role of intelligent supporting tools becomes critical [56], 
[58]; We accept Haykin’s concept of cognitive dynami- 
cal systems [25], and developed a multi-state cognitive 
identity management process; 

How to measure risks and trust in the cognitive identity 
management [57], [60], [63]; We accept the Pearl’s con- 
cept of the causality in cognitive dynamic systems [42] 
and developed the computational platform that combines 
various probabilistic measures of causal reasoning; and 

How to exploit available approaches and resources for 
risk and trust analysis [12], [13], [54]; We accept the 
probabilistic notion of risk and trust [10], [47], we 
defined the fundamental operations on risk and trust, and 
demonstrate how they are implemented in the proposed 
computational model. 


We revisit the risk and trust evaluation in complex sys- 
tems, and define the cognitive security platform for identity 
management. We deploy a multi-state model of the identity 
management [62]. The core of the proposed cognitive plat- 
form is the novel inference engine. The prototype software 
implementation of this engine in available in [7]. 


II. BASIC DEFINITIONS, STATEMENTS, AND PROPERTIES 


The core research questions of our study are as follows: 
1) Can we trust the cognitive identity management process? 
and 2) How risky are the decisions of the cognitive process? 
To answer those questions, the trust and risk in identity 
management should be defined first. 

Definition I: Risk is a measure of the extent to which an 
entity is threatened by a potential circumstance or event, and 
typically is a function of: (1) the adverse impact, or magnitude 
of harm, that would arise if the circumstance or event occurs; 
and (ii) the likelihood of occurrence [39]. 

Definition 2: Trust is the willingness of the trustor (evalua- 
tor) to take risk based on a subjective belief that a trustee 
(evaluatee) will exhibit reliable behaviour to maximize the 
trustor’s interest under uncertainty (e.g., ambiguity due to 
conflicting evidence and/or ignorance caused by complete 
lack of evidence) of a given situation based on the cognitive 
assessment [10]. 

Definition 3: Trustworthiness is the degree to which an 
information system can be expected to preserve the confi- 
dentiality, integrity, and availability of the information being 
processed, stored, or transmitted by the system across the full 
range of threats [39]. 

In our approach, risk, trust, and trustworthiness are mea- 
sured in terms of probabilities. These general notions of risk 
and trust should be specified within the concept of identity 
management at a cognitive checkpoint. 

A cognitive checkpoint is a complex dynamic system 
with the following elements of a cognitive system [25]: 1) 
perception-cycle (information gain about the state of identified 
person), 2) memory distributed across the entire system, 3) 
attention driven by memory to prioritize the allocation of 
available resources, and 4) intelligence driven by perception, 
memory, and attention; its function is to enable the control and 
decision-making mechanism to identify intelligent choices. 
These cognitive elements are distributed in the form of a 
multi-state multi-perception-cycle semi-automated model [62]. 
In addition, a cognitive checkpoint is a privacy-sensitive model 
[11], [14]. 

The goal of the cognitive semi-automated checkpoint is to 
answer the questions about (1) the risk of the decision (correct 
identification of a given individual or his/her behavioral pat- 
terns), and (2) the trust of the human operator in the system to 
the decision supplied by the AI (machine reasoning). This risk 
and trust assessment is based on multiple criteria such as relia- 
bility of sources, credibility of information, sensor precision, 
recognition algorithm performance etc. This assessment varies 
among the systems. Specifically, risk and trust assessment in a 
multi-state model is 1) distributed over states, 2) represented in 
causal relations, available for 3) propagation, 4) adjustment, 
5) prediction, and 6) fusion. The mechanism enabling these 
operations is known as probabilistic inference called machine 
reasoning. 

The key limitation factors of the risk and trust inference 
process are determined as follows. 1) The complexity of 


relationships between the states refers to various strategies to 
risk and trust assessment. Sources of information can have 
dual or multiple roles over the states. 2) Time limits of the 
operations place certain constraints on the sytem performance 
[28], [31], [45]. An example is a security problem known 
as the “bottleneck” and “traveler redress”. Such problems 
are the reason why the screening process should be well 
synchronized with other resources. This is of critical impor- 
tance, in particular, in the airport infrastructure. 3) Severity 
of consequences of the decisions made reflects the conceptual 
aspects of automated or semi-automated screening (decisions 
are made under incomplete, conflicting information, and the 
AI cognition is incomplete due to data or time constraints). 


II. FUNDAMENTAL OPERATIONS ON RISK AND TRUST 


We consider a multi-state screening of an individual (Fig. 
2) as a dynamic cognitive system that: 


1) monitors the traveler data throughout the process of e-ID 
checking, face recognition, and continuously assess the 
risk using various sources such as behavioral biometrics, 
watchlist, e-interview results etc., 

2) updates its states based on the intelligence gathered via 


e human-machine interactions (e-interviewer), 

e results of the biometric traits recognition based on 
machine learning, 

e results of the concealed object detection (by adjus- 
ting radar illumination, in particular), and others. 


Fig. 3 shows an example of the aforementioned functions in 
the context of the cognitive identity management for travelers 
crossing the borders: 


e The traveler’s identity management process is implemen- 
ted in four states, Sı (pre-screening based on Advanced 
Information), Sə (ID validation), S3 (Traveler authenti- 
cation), and S4 (Concealed object detection). Each state 
contains several sub-states. For example, the second state 
Sə includes four sub-states sW, s? ' s, and 5 

e In a semi-automated system, the traveler can be directed 
to the manual control after each state, or can be directed 
to the next state. 

e There are two types of dependency relationships that 
exist between states S; and sub-states SË ): intra-iteration 
dependency (sub-states in the same loop), and cross- 
iteration (previous states) dependency. 

e Each state S; and sub-state sv isa part of the “Layered 
Security Strategy”, a contemporary security doctrine [9], 
[29], [54]. 

e Each state S; and sub-state sv ) generates risk and 
trust assessments for further processing and inference 
using operations such as propagation, causal analysis, 
reasoning, etc. 


In our work, the taxonomy of risks is defined by the 
following fundamental operations: 

1) State risk and trust assessment, such as the risk of 
the ID being fraudulent, or risks to privacy throughout the 
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Fig. 3. Taxonomical view of the multi-state cognitive identity management process. Risks and trust are propagated from the first state (input) to the last state 
(output), and at each state their risk and trust status is causal analyzed, adjusted, fused, and predicted. Each state is represented by a perception-action cycle 


of sub-states. 


e-interviewing. In modeling, each risk is represented by a 
corresponding probability distribution function. 


2) Causal analysis of risks and trust is based on the “‘cause- 
effect” paradigm. In particular, Granger causality analysis is 
an advanced tool for this purpose [18], [48]. 


3) Risk and trust propagation. For example, if a person is 
on a watchlist, the risk of mis-identification or impersonation 
[61] is propagated through other states such as rik of mis- 
detection of a concealed item. The risk propagation problem 
was studied, in particular, as a multi-echelon supply chain 
problem in [40]. 


4) Risk and trust reasoning is the ability to form an 
intelligent conclusion or judgment using the risk and trust 
data. Causal reasoning is a judgment under uncertainty based 
on a causal probabilistic network. For example, assessed high 
risk to security based on a person’s profiling does not always 
result in an overall high risk. Each state operates as a cognitive 
agent that makes a decision regarding the user risk and trust 
based on the specific resources such as previous experience 
(statistics) and observed information. The final risk assessment 
of the decision regarding the subject is negation, or consensus 
between the states (agents). The theoretical framework of such 
approach is known as the group decision making [59], [60]. 

5) Risk and trust adjustment aims at improving the confi- 
dence of the risk assessment. For example, non-match of facial 
images, one from an ID and another from a current probe 


image, may result in a high risk indicator, but can be later 
adjusted using the face aging (also called “template aging”) 
factor. 

6) Risk mitigation. In most scenarios, the risk can be 
lowered through the process of periodical re-assessment, as 
some risks can be downgraded to an acceptable level level 
and/or mitigated through the feedback and action as explained 
below. 

7) Risk and trust prediction. In complex systems, meta- 
recognition, meta-learning, and meta-analysis can be used to 
predict the overall success (correct assessment of the risk 
and trust) or failure (incorrect one) of the system. The most 
valuable information for such risk assessment is in the “tails” 
of probabilistic distributions related to failures [15], [52]. 


IV. PERCEPTION-ACTION CYCLE 


The crucial element of a cognitive checkpoint is the risk 
perception-action cycle. A semi-formal description of a user 
risk and trust perception-action cycle is as follows: 


Person’s Risk & Trust Machine-Human, or 


Risk & Trust perception Machine-—Machine 
assessment state action 
[t+1] [t] [t] 


where a subjects risk assessment at time (level) [t + 1| 
is a result of a machine-human action over risk perception 


resources (state) at time (level) [t]. Notion of the perception- 
action cycle is needed in terms of maximizing information 
gain about the individual computed from the observable data. 
For this, we adopted the perception-action cycle for a dynamic 
cognitive system [25]. 
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Fig. 4. Perception-action cycle is the core of a cognitive checkpoint. Each 
state in the model in Fig. 3 is represented as a perception-action cycle. In this 
loop, the traveler risk is assessed under available resources, and system risks 
and trust. 


There are three key components of the perception-action 
cycle of the cognitive checkpoint (Fig. 4): An individual as a 
subject of multiple security measures applied in a supported 
infrastructure; A screening actuator that initializes execution 
of a security task or several security tasks; and An evidence 
analyzer that computes feedback information to the screening 
actuator. 

Given an individual, the “screening actuator’ initiali- 
zes screening such as authentication (e.g. e-ID), human- 
machine interactions using e-interviewer, risk assessment (e.g. 
biometric-enabled watchlist and multi-cross information ga- 
thering), and concealed object detection (e.g. weapon and 
dangerous items). The observables refer to the results of 
security tasks execution. Feedback information computed by 
the “evidence analyzer’ contains features such as: “failed 
authentication, additional data is needed’; next question should 
be generated; additional data is needed to complete risk asses- 
sment; and user action is needed to finalize concealed object 
detection (e.g. interview regarding orthopedic implants that are 
detected as dangerous items). Conceptually, the perception- 
action cycle reflects the user-adaptive properties based on a 
user model [35]. Note that the e-interview in the perception- 
action cycle is defined as the means to support the human- 
machine interactions using a spoken-dialog technology. 


V. INFERENCE ENGINE IN COGNITIVE IDENTITY 
MANAGEMENT 


In this section, we describe a tool called an inference engine 
for modeling the multi-state cognitive identity management 
process illustrated in Fig. 3. This computational platform 
satisfied the requirements formulated in Section II in the form 












of statements and properties, and in Section III in the form of 
fundamental operations on risks and trust. 


A. Probabilistic reasoning for decision under uncertainty 


There are two kinds of operations in human identification 
process under uncertainty (Fig. 3): 1) operations within the 
system states that perform security tasks such as ID validation, 
individual identification, his/her risk assessment, as well as 
trust assessment of the risk sources, and 2) cross-state opera- 
tions (causal analysis of risks and trust [56], [57], their propa- 
gation, fusion, reasoning and prediction [4], [40], [63]). Any 
of these operations can be implemented using probabilistic 
inference on a Bayesian network. The latter is a breakthrough 
concept introduced by Judea Pearl’s and explained as follows: 
“Causal reasoning is an indispensable component of human 
thought that should be formalized and algorithmitized toward 
achieving human-level machine intelligence” [42]. 

The classic Bayesian networks operate only on one of possi- 
ble projections of uncertainty, — point probabilities. However, 
there are other measure of uncertainty beyond the point pro- 
babilities. Combining causal reasoning with other uncertainty 
metrics was proposed, in particular, in [3], [44], a fuzzy 
Bayesian network has been developed. In [16], an interval 
metric was integrated within Bayesian networks. Reasoning 
mechanisms were extended with the belief Dempster-Shafer 
(DS) metric in [17], [46], [50]. The DS metric was extended 
in [51] and is known as Dezert-Smarandache (DSm) metric. 
We combine different uncertainty measures and place them 
on a unified reasoning platform [7]. This can be considered 
an expansion of the classic Bayesian network concept. In our 
approach, causal cognition refers to how a machine perceives, 
represents, and reasons about causal relationships of data: 


Point Probability, Sec. VI-A; 

Causal Probability Interval, Sec. VI-B; 
Cognition = DS. Belief, Sec. VI-C; 
DSm Belief, Sec. VI-D; 

FUZZY Probability; Sec. VI-E. 


B. Taxonomical view of the uncertainty models 


Our approach to handle uncertainty in the biometric-enabled 
identity management includes two components: (a) a graphical 
representation of a given scenario in the form of a causal 
network, and (b) a mechanism of uncertainty inference in 
different metrics. The causal network is a directed acyclic 
graph where each node in the graph denotes a unique random 
variable. A directed edge from node nı to node nə indicates 
that the value that is attained by nı has a direct causal 
influence on the value that is attained by ng. As for metrics, we 
use the probability metric, probability intervals, the DS belief 
metric and its extension DSm, as well as the fuzzy probability 
metric. 

Uncertainty inference requires data structures that will be 
referred to as conditional uncertainty tables (CUTs) in the 
general case. A CUT is assigned to each node in the causal 
network. Given a node n, the CUT assigned to n is a table that 


is indexed by all possible value assignments to the parents of 
n. Each entry of the table is a conditional “uncertainty model” 
that varies according to the choice of uncertainty metric: 

1) Point probability: Using the probability metric, the CUT 
is known as a Conditional Probability Table (CPT) and the 
causal networks are then referred to as Bayesian networks. 

2) Probability Interval: Using the probability interval me- 
tric, the CUT is known as a Conditional Probability Interval 
Table (CPIT) and the causal networks are then referred to as 
probability interval Bayesian networks. 

3) DS Belief: Using the DS metric, the CUT is known as 
a Conditional DS Table (CDST) and the causal networks are 
then referred to as DS Bayesian networks. 

4) DSm Belief: Using the DSm metric, the CUT is known as 
a Conditional DSm Table (CDSmT) and the causal networks 
are then referred to as DSm Bayesian networks. 

5) Fuzzy Probability: Using fuzzy probabilities, the CUT is 
known as a Conditional Fuzzy Probability Table (CFPT) and 
the causal networks are then referred to as fuzzy probability 
Bayesian networks. 

Given a risk/trust assessment scenario, the proposed ap- 
proach to its modeling includes the following steps: 


Algorithm for multi-metric causal modeling 


Step 1: Represent the risk/trust assessment scenario by a 
causal network. 

Step 2: Assign CUTs in the appropriate metric to the nodes. 
Step 3: Apply the observed evidence to the causal network 
and compute the posterior uncertainty model 

Step 4: Make a decision based on a heuristic analysis of the 
posterior uncertainty model. 





VI. RISK AND TRUST INFERENCE EXAMPLES 


This section presents an example of an inference scenario 
that demonstrates how to measure risks and trust, and how they 
are propagated through a causal network to form a decision 
based on various metrics. Any scenario described by the multi- 
state model (Fig. 3) can be described and proceed using this 
inference engine. In the example below, the state Sə (ID 
validation) from Fig. 3 is modeled. Due to the fuzziness of the 
variables involved and the lack of statistical data, the numerical 
values (probabilities and belief values) that populate the model 
are chosen arbitrarily for the sake of example and are not 
generated from real data. 


A. Probabilistic measures using a Bayesian network 


Consider the second state, So (Fig. 3) and (b) available 
statistics for the CPTs the probabilities and belief values 
in this example have been arbitrarily chosen and are not 
generated from real statistics). Following the general strategy 
of causal network design, we, 1) Assign each state and sub- 
states of the model to nodes in a causal network (Table 
I), 2) Connect the nodes R,S,V, and C according to their 
causal relationships, 3) Construct the CPTs based on expert’s 
or experimental knowledge, and 4) Make a decision; the 
belief network in Fig. 5 along with the CPTs provides a 


tool for probabilistic inference given various scenarios of ID 
validation. For example, P(C|V = v1,S = sı) (denoted 
P(C|v1, s1) in Fig. 3 for brevity) describes the scenario where 
a valid ID was authenticated on the first attempt. From the line 
P(C|v1, 51), we can infer that the information credibility is 
certainly high in this scenario. 
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Fig. 5. (a) Causal network of the ID validation scenario in terms of risk and 
trust factors. (b) Each state of the identity management process is mapped 
into a unified causal networks over five metrics. This is an example of how 
the state S2 ‘ID validation’ (Fig. 3) with four sub-states defined in Table I 
can be mapped onto the uniform causal graph. 


The Bayesian decision-making is based on evaluation of a 
prior probability given a posterior probability and likelihood 
(event happening given some history of previous events): 
Likelihood 


Prior Posterior 


————_— eee SS OSS Ss iis eee 
P(Hypothesis|Data) = P(Data|Hypothesis) x P(Hypothesis) 


As an example of probabilistic inference using the Bayesian 
realization of the belief network, consider the following scena- 
rio: IF the reliability of the ID source is known to be ‘low’ and 
the credibility of the result to be ‘high’: R = r3, and C = c1, 
THEN what is the posterior probability that the ID is valid: 
P(V =v,|R=r3,C = cı). This scenario models a situation 
of conflict where an unreliable ID produces a credible out- 
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TABLE I 
ASSIGNING STATES AND SUB-STATES OF THE MODEL TO A NODE IN THE CAUSAL NETWORK. 


Comment 


The node ‘ID source reliability’ (R € {ri,r2,r3}) denotes the three level (rı =‘high’, r2 =‘medium’, r3 =‘low’) 
reliability of the e-passport/ID authentication, which depends on many factors such as: country of issue, number of 
defense levels in the document, life cycle history, type of the chip, type of biometric modality, type of encryption, and 
the type of RFID mechanism. 


The node ‘Valid ID’ (V € {v1, v2}) denotes whether the e-passport ID should pass the validation procedure (valid v1) 
or not (invalid v2). The ‘valid’ or ‘invalid’ state reflects the true state of the e-passport and not simply the opinion of 
the authentication machine. 


The node ‘ID scan’ (S € {81, 82,83, 84}) denotes the outcome of the authentication of the e-passport. The scan is 
subject to various unwanted effects such as the individual’s mistakes in using the scanning device, scanner errors, as 
well as hidden reasons related to errors in the use of the database, conflicts of comparisons, and communication errors 
or delays. These effects are encoded in the form of the number of attempts at scanning the individual document; three 
attempts are allowed (s1, S2, $3), after which the individual is directed to manual control (s4). Ideally, if the individual’s 
e-passport is invalid, they should always be directed to manual control. 


The node ‘ID Information credibility’ (C € {c1,c2,c3}) describes the three level (cı =‘high’, co =‘medium’, 
c3 =‘low’) credibility of the outcome of the validation process. If the credibility of the validation process is known a 


priori, it can be used to compute posterior beliefs related to the validity of the individual document (node V). 


come. The final result is P(V = vı |R =13,C = c1) ~ 0.989. 
It is very likely that the ID was valid. 

Essential features of probabilistic measures of evidential 
reasoning using Bayesian networks are as follows: 1) they 
represent the certainty in an attribute-value as a point probabi- 
lity, and 2) they require complete knowledge of both prior and 
conditional probabilities, which might be difficult to determine 
in practice. 


B. Probability interval measures 


Theory from [16] describes operations for creating marginal 
probability interval distributions and conditional probability 
interval distributions from joint probability interval distribu- 
tions. Joint probability interval distributions can be formed 
from the probability interval distributions of independent va- 
riables. For the current example, an uncertainty radius of 0.1 
will be extended around each probability value, except to 
where the probability is decisively O or 1. For example, the 
probabilities for node V will become P(V = vı) = [0.89, 1], 
P(V = v2) = [0, 0.11]. 

As an example of inference using probability intervals, the 
same scenario will be considered: IF the reliability of the 
ID source is known to be ‘low’ and the credibility of the 
result to be ‘high’: R = r3, and Č = c1, THEN what is the 
posterior probability that the ID is valid: P(V = vı|R = 
r3,C = cı). The final result is: P(V = vı|R = r3,C = 
c1) = [0.574, 1]. This interval implies that within the flexibility 
allowed by the probability intervals, the posterior probability 
of the ID being valid can be low as 0.574. It should also be 
noted that the posterior probability interval will always contain 
the probability value produced by the Bayesian realization of 
the belief network (which in this case was 0.989). Probability 
interval measures partially improve the Bayesian technique, 
but does not have a convenient representation for ignorance 
or uncertainty. 


C. DS belief measures 


DS evidential theory has been considered when an in- 
complete probabilistic model is created, 1.e. when the prior 
probabilities and likelihood functions are unknown [17]. In 
contrast, the Bayesian inference does not have this allowance. 
A description of DS theory can be found in [46]. The proce- 
dure will be the same except for the CUTs. The approach here 
uses theory from [17], [20]. However, an alternative approach 
has been developed [50]. As an example of inference using the 
DS realization of the belief network, the same scenario is used: 
IF the reliability of the ID source is known to be ‘low’ and 
the credibility of the result to be ‘high’: R = r3, and C = c1, 
THEN what is the posterior belief and plausibility that the ID is 
valid: Bel(V = vı |R = r3,C = cı), PV = vı |R = 73,C = 
cı). The final result is: Bel(V = vı |R = r3, C = c1) ~ 0.878 
and PI(V = vı |R = r3, C = c1) ~ 0.951. Together, these two 
values form the interval of probability values [0.878, 0.951]. 
This interval implies that it is very likely that the ID was valid. 
Unlike the Bayesian network realization of the belief network, 
the DS realization of the belief network produces a range 
of probability values. Unlike probability intervals however, 
this range is heuristic and may not denote an objectively 
quantifiable value. 

It should also be noted that the range of probability values 
produced by the DS realization of the belief network (which 
in this case is [0.878,0.951]) does not necessarily contain the 
probability value produced by the Bayesian realization of the 
belief network (which in this case was 0.989). 

Fig. 6 explains the low bound, or belief, and upper bound, 
or plausibility. It shows what proportion of evidence is truly 
of a proposition and what proportion comes merely from 
ignorance: 


<DS uncertainty interval>= [Belief, Plausibility]| 
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Fig. 6. The DS uncertainty interval. The DS technique can handle uncertainty, 
or ignorance, ythat is, lack of knowledge of the complete probabilistic model 
required for Bayesian inference. 


where the lower bound is the belief confidence, and the 
upper bound is the plausibility confidence. Note that the DS 
formulation of a problem collapses into the probabilistic one 
using Bayesian network when the uncertainty interval is zero. 


D. DSm belief measures 


DSm theory is a generalization of DS theory. A description 
of the DSm approach can be found, in particular, in [51]. 
The DSm technique of plausible and paradoxical reasoning 
deals with high conflicting uncertainty and imprecise sources 
of evidence. For instance, data can be represented using a 
formal notion of reliability (refers to quality) and importance 
(refers to subjective preferences). 

As an example of probabilistic inference using the DSm 
realization of the belief network, the same scenario is used: 
IF the reliability of the ID source is known to be ‘low’ and 
the credibility of the result to be ‘high’: R = r3, and C = cy, 
THEN what is the posterior belief and plausibility that the ID is 
valid: Bel(V = vı |R = r3,C = c1), PV = vı |R = 73,C = 
cı) The final result is: Bel(V = v,|R = r3, C = c1) ~ 0.878 
and PI(V = v;|R=1r3,C' = c1) ~ 0.951. Together, these two 
values form the interval of probability values [0.878, 0.951]. 


E. Fuzzy probability measures 


The theory of fuzzy probabilities that will be used in this 
experiment is described in [3], [44]. A fuzzy probability 
consists of a center value that acts as a normal probability, 
and a lower and upper limit that contains the center value. The 
interval formed by the lower and upper limit is not subject to 
the same requirements as the probability intervals from [16]. 
For example, the first line of the CFPT corresponding to node 
C (ID information credibility) is shown below 


(1,1,1), C = cı (high); 
Pr(C|V = v1, S = sı) = 4 (0,0,0), C = c2(medium); 
(0,0,0), C = c3 (low). 


As an example of probabilistic inference using fuzzy pro- 
babilities, the same scenario will be considered: IF the 
reliability of the ID source is known to be ‘low’ and the 
credibility of the result to be ‘high: R = r3, C = c, 
THEN what is the posterior probability that the ID is valid: 
Pr(V = v1|R = r3,C = c1). The calculations are performed 
using theory that is described in [44]. The final result is: 
PV = v|R = r3,C = cı) = (0.113, 0.989, 8.146). This 
fuzzy probability implies that within the flexibility allowed 
by the fuzzy probabilities, the posterior point probability can 
be as low as 0.113. Despite an upper bound that exceeds 1, 
the true posterior point probability still cannot exceed 1. The 
upper bound of 8.146 simply shapes the membership function 
of the fuzzy posterior probability inside of the interval [0, 1]. 


F. Inference summary 


Table II provides a summary of inference engine operation 
for the scenario of the ID validation. In the first column of 
Table II, five uncertainty metrics are placed; in the second and 
third column, computing probabilities of decision on Valid ID 
and Invalid ID, respectively, are reported. In the fourth column, 
we refer the theory source of an uncertainty metric. In the 
last line, we emphasize that we infer the same scenario that 
is represented by the common causal graph (Fig. 5) but for 
reasoning was used five uncertainty metrics; this mechanism 
is placed on the software platform [7]. 


These five different uncertainty projections, or 
interpretations, strongly suggest that ` ID is Valid 
given the evidence ‘low’ ID source 
reliability and ‘high’ ID information 


credibility’. Note, that DS and DSm did not discover 
the data conflict features, but this may not be the case in 
general. Fig. 7 provides a graphical interpretation of the 
results reported in Table II. 

This inference summary reflects that initial risks and trust 
defined in terms of ‘low’ ID source reliability and ‘high’ ID in- 
formation credibility were fused by the reasoning mechanism 
and reported in different uncertainty metrics. 


VII. SUMMARY, CONCLUSION, AND FUTURE WORK 


Deep embedding of the AI into identity management sys- 
tems is an emerging trend. What was previously human-human 
interaction becomes human-machine and even machine- 
machine interactions with delegating decision-making to au- 
tonomous agents. The embodiment of this trend in our study 
is a proposed cognitive platform. In these new scenarios, risk 
and trust factors become the important issue for technology 
and policy developers, AI operators and users. This work 
contributes to solutions to this challenge, and proposes a multi- 
state cognitive identity management platform and inference 
engine that are able to predict various unwanted and often 
unknown effects in terms of risk and trust. We demonstrate 
it on a sample scenario describing the heterogeneous data 
management (document validity, contextual information and 
biometrics). The key conclusions are as follows: 


TABLE II 
A COMPARISON OF THE RESULTS OF THE INFERENCE EXAMPLE BASED ON DIFFERENT UNCERTAINTY METRICS FOR VALID ID (V = v1) AND INVALID 
ID (V = v2) SCENARIOS USING ‘LOW’ ID SOURCE RELIABILITY (R = r3) AND ‘HIGH’ ID INFORMATION CREDIBILITY (C = c1) 


. . Valid ID 
Uncertainty Metric 
PV nrc) 


Invalid ID Comment 
P(V = v2\|Pr3, c1) 


1. Probabilities 0.989 0.011 Inference on classic Bayesian network 
2. Probability Intervals 0.574, 1.000] 0.000, 0.426] Based on theory from [16] 


(0.574, 1. [0.000, 0. 
3. DS Belief Plausibility (0.878, 0.951] (0.049, 0.122] Based on theory from [17], [46] 
4. DSm Belief Plausibility [0.878,0.95 1] [0.049,0.122] Based on theory from [51] 





5. Fuzzy Probabilities (0.113,0.989,8.146) | (0.000, 0.011, 0.742) | Based on theory from [3], [44] 


Common causal network framework of the ID validation scenario in terms of risk and trust [7] 
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Fig. 7. A graphical interpretation of the inference operation for the ID 
validation scenario in five uncertainty metrics (Table II). The posterior 
uncertainty quantities over V (valid ID) given the evidence R = r3 (‘low’ 
ID source reliability) and C = cı (‘high’ ID information credibility). For 
each metric, the left column corresponds to V = vı (valid ID) and the right 
column corresponds to V = v2 (invalid ID). 


1) A multi-state model called a cognitive dynamic system 
is useful for representation of the identity management 
process. 

2) A computational platform of this system is based on 
probabilistic reasoning build upon a causal network with 
a variety of probability measurements. It provides a wide 
range of tools for risk and trust assessment, as well as 
prediction via inference on the causal network. 


In addition, the proposed model (Fig. 3 and Fig. 4) and the 
inference engine can be used for estimation of technology 
gaps. This is required to identify whether it is possible to 
achieve the design goals given the available resources and 
technologies [21]. 

The focus of our future work is the cognitive biases in 
machine reasoning in a multi-state identity management pro- 
cess. The biases lead to faults in the reasoning processes. The 
resulting risk and trust decisions may violate the commonly 
accepted normative principles. The analogous biases in human 
reasoning are the base for this study. An example is the 
overconfidence bias when eliciting probability distributions 


from experts in risk analysis [36]. The future work also 
includes an extension of the inference engine. In particular, 
it will benefit from integrating the causal analysis of risks and 
trust using Granger approach [8], as well as from a fusion 
of data represented by its probabilistic distribution (known as 
copula [5]). 
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